b'MARCH 18, 2013\n  AUDIT REPORT\n\n\n\n\n                                                      OFFICE OF AUDITS\n\n\n\n\n   NASA\xe2\x80\x99S PROCESS FOR ACQUIRING INFORMATION\n     TECHNOLOGY SECURITY ASSESSMENT AND\n              MONITORING TOOLS\n\n\n\n\n                                           OFFICE OF INSPECTOR GENERAL\n\n\n\n\n                                                      National Aeronautics and\n                                                          Space Administration\n\n\n\n\n  REPORT NO. IG-13-006 (ASSIGNMENT NO. A-11-021-00)\n\x0cFinal report released by:\n\n\n\n\nPaul K. Martin\nInspector General\n\n\n\n\nAcronyms\n\nACES         Agency Consolidated End-user Services\nAPM          Application Portfolio Management\nAVAR         Agency Vulnerability Assessment and Remediation\nCIO          Chief Information Officer\nCISO         Chief Information Security Officer\nCPIC         Capital Planning and Investment Control\nDCIO         Deputy Chief Information Officer\nELMT         Enterprise License Management Team\nFISMA        Federal Information Security Management Act\nFY           Fiscal Year\nGRC          Governance, Risk, and Compliance\nIT           Information Technology\nITSC         Information Technology Security Center\nNPR          NASA Procedural Requirements\nOCIO         Office of the Chief Information Officer\nOCSO         Organizational Computer Security Official\nOIG          Office of Inspector General\nOMB          Office of Management and Budget\nRMS          Risk Management System\n\n\n                                                               REPORT NO. 
IG-13-006\n\x0cMARCH 18, 2013\n\n\n\n\n                                                                                              OVERVIEW\n\n                NASA\xe2\x80\x99S PROCESS FOR ACQUIRING INFORMATION\n                  TECHNOLOGY SECURITY ASSESSMENT AND\n                           MONITORING TOOLS\n                                                                                                 The Issue\n\n   NASA\xe2\x80\x99s information technology (IT) infrastructure \xe2\x80\x93 a complex and diverse array of\n   more than 500 computer systems with 140,000 components spread across numerous\n   locations \xe2\x80\x93 plays a critical role in virtually every aspect of the Agency\xe2\x80\x99s mission, from\n   controlling spacecraft and processing scientific data to enabling NASA personnel to\n   collaborate with colleagues around the world. At the same time, the Agency\xe2\x80\x99s high\n   profile and use of advanced technology coupled with the relatively large size of its\n   networks makes it an attractive target to cyber attackers. To thwart such attacks, NASA\n   must ensure that its IT systems and their associated components are regularly\n   safeguarded, assessed, and monitored. To accomplish this task, the Office of the Chief\n   Information Officer (OCIO) spends at least $58 million annually on IT security, a portion\n   of which is used to acquire and manage security assessment and monitoring tools.\n\n   Federal laws and regulations require Federal Government agencies to develop IT security\n   policies and procedures, including Agency-wide IT security programs. In addition, the\n   Information Technology Management Reform Act of 1996 (Clinger-Cohen) requires\n   NASA and other agencies to identify opportunities to achieve efficiencies, improve\n   integration and security, and ensure alignment of IT assets with the agency mission. 
The\n   Office of Management and Budget (OMB) also requires agencies to coordinate their IT\n   management efforts to eliminate duplicative IT investments, pool purchasing power\n   across respective organizations, drive down costs, and improve IT services. 1 NASA\xe2\x80\x99s\n   Strategic Management Council directed the OCIO to implement an application portfolio\n   management (APM) process with the goal of satisfying the greatest number of IT\n   requirements with the fewest applications.2\n\n   The NASA Office of Inspector General (OIG) initiated this audit to review NASA\xe2\x80\x99s\n   policies and procedures related to its acquisition of IT security assessment and\n   monitoring tools. Because the Agency was unable to provide a complete inventory of the\n   tools it purchased to manage nine IT security control areas, we distributed questionnaires\n   to IT security personnel at NASA Headquarters and all Centers. The questionnaire\n\n   1\n       OMB Memorandum M-11-29, \xe2\x80\x9cChief Information Officer Authorities,\xe2\x80\x9d August 8, 2011.\n   2\n       APM is a process that provides visibility of IT assets allowing for better decision-making, maintaining a\n       user-friendly inventory of applications (including cost data), and identifying opportunities for reducing\n       duplication among applications.\n\n\n\nREPORT NO. IG-13-006\n\x0c                                                                                      OVERVIEW\n\n\n\n     response rate was 73 percent (111 responses out of 153 questionnaires). See Appendix A\n     for details of the audit\xe2\x80\x99s scope and methodology. 
See Appendix B for information about\n     the questionnaire.\n\n     Results\n\n     NASA has not fully implemented a process for identifying its IT security assets, a\n     necessity to meet federally mandated requirements and improve IT acquisition outcomes.\n     Lack of such controls result in missed opportunities to capitalize on efficiencies and\n     leverage purchasing power on critical IT security investments. NASA could use two\n     internal management control processes \xe2\x94\x80 Capital Planning and Investment\n     Control (CPIC) and APM \xe2\x94\x80 to improve visibility over purchases of IT security\n     assessment and monitoring tools. The CPIC process (mandated by Clinger-Cohen) is\n     intended to capture an agency\xe2\x80\x99s major IT investments and achieve cost savings by\n     identifying and eliminating redundant purchases. To facilitate CPIC requirements,\n     NASA uses its IT Investment Management System (ProSight) to collect and aggregate IT\n     investment cost data. However, we found that the ProSight data lacks sufficient detail to\n     identify specific IT security tool requirements, associated maintenance costs, or tools\n     planned for purchase, and therefore cannot be used to prioritize investments or identify\n     potential cost savings. We learned that Marshall Space Flight Center (Marshall)\n     modified ProSight to enable collection of more specific data on IT security assessment\n     and monitoring tools and Marshall IT personnel developed a software application using a\n     commercial off-the-shelf product to provide rapid analysis and review of this data. 
Both\n     initiatives have enabled Marshall personnel to better document, assess, and prioritize\n     Center-based IT investments.\n\n     The APM management control process also developed to meet a Clinger-Cohen\n     requirement) organizes IT applications into relevant portfolio categories to enable\n     performance assessments of individual assets and the portfolio as a whole. Proper use of\n     APM provides visibility of IT assets and enables more informed decision-making, a\n     user-friendly inventory of applications (including cost data), and opportunities for\n     reducing duplication among applications. In April 2007, NASA\xe2\x80\x99s Strategic Management\n     Council directed the Chief Information Officer (CIO) to implement the APM process\n     with the goal of satisfying the greatest set of IT requirements using the fewest\n     applications. However, according to Agency officials the APM process was discontinued\n     in June 2011 due to restructuring within the OCIO and the inability to maintain an\n     accurate inventory of application data.\n\n     OCIO personnel interviewed as part of this audit stated they were in the process of\n     gathering data on IT security assessment and monitoring tools used Agency-wide. In our\n     judgment, NASA could improve visibility over its IT portfolio and identify opportunities\n     for reducing duplication among all applications by re-instituting the APM process.\n\n     In addition to the CPIC and APM processes, NASA\xe2\x80\x99s Enterprise License Management\n     Team (ELMT) is responsible for evaluating requirements to determine whether cost\n\n\nii                                                                        REPORT NO. IG-13-006\n\x0cOVERVIEW\n\n\n\n   savings can be achieved by consolidating purchases. According to Agency officials, the\n   ELMT works with NASA\xe2\x80\x99s OCIO and Office of Procurement to increase efficiency in\n   purchasing and utilizing software. 
ELMT seeks to identify common software\n   requirements and consolidate common software purchases throughout the Agency;\n   conduct market research and business case development; secure appropriate volume\n   discounts for applicable licenses; and distribute unused licenses by negotiating license\n   transferability. To maximize its effectiveness, the ELMT requires comprehensive\n   information on Agency IT technical and purchasing requirements. However, we found\n   that such data is not readily available. Despite this limitation, ELMT officials said they\n   have achieved $5.9 million in reduced software costs by leveraging NASA\xe2\x80\x99s purchasing\n   power and by eliminating redundant purchases and related maintenance agreements.\n\n   Because NASA does not have a process that captures, consolidates, and assesses IT\n   security tool requirements across the Agency, centralized purchases of tools to meet\n   common IT security tool requirements do not regularly occur. For example, our survey\n   showed that NASA spent $25.7 million on 242 separate purchases of IT security\n   assessment and monitoring tools across nine control areas currently in use as of June\n   2012 with little or no coordination between IT security officials. This inability to\n   consolidate requirements and centralize purchases limits NASA\xe2\x80\x99s efforts to gain\n   efficiencies on critical IT investments.\n\n   In addition, NASA\xe2\x80\x99s decentralized organizational structure contributes to an ineffective\n   IT investment management process. 
For example, we identified the following purchases\n   across the Agency:\n\n      \xc2\xb7   NASA OCIO spent $7.3 million to purchase and $1.8 million in annual\n          maintenance costs for Agency-wide IT security assessment and monitoring tools;\n\n      \xc2\xb7   NASA Centers spent $5.9 million to purchase and $2.2 million to annually\n          maintain assessment and monitoring security tools that perform the same or\n          similar IT security management functions; and\n\n      \xc2\xb7   Individual organizations that supported project systems at 10 locations spent\n          $6.7 million to purchase and $1.8 million in annual maintenance costs for\n          additional IT security assessment and monitoring tools with similar functions.\n\n   NASA\xe2\x80\x99s lack of centralized and readily available information on current and planned IT\n   security tool purchases diminishes opportunities to save money by consolidating similar\n   requirements and purchases. In particular, NASA\xe2\x80\x99s IT investment management and\n   reporting process has not been tailored to capture the data Agency IT officials need to\n   understand the products the Agency currently owns or plans to purchase. We believe\n   significant opportunities exist for Agency officials to reduce unnecessary or redundant\n   purchases. For example:\n\n      \xc2\xb7   Vulnerability Management Tools. In 2008, the OCIO spent $364,973 to\n          purchase McAfee Foundstone/McAfee Vulnerability Manager as the\n\n\nREPORT NO. IG-13-006                                                                            iii\n\x0c                                                                                                          OVERVIEW\n\n\n\n                Agency-wide solution for vulnerability management on NASA\xe2\x80\x99s 140,000 system\n                components. 
The annual maintenance cost for this software exceeds $200,000.\n                Two years later, NASA acquired vulnerability management services through the\n                Consolidated End-user Services (ACES) contract, which duplicates vulnerability\n                management services on 32,200 of NASA\xe2\x80\x99s system components.\n\n            \xc2\xb7   Governance, Risk, and Compliance (GRC) Tools. NASA acquired three\n                different tools for managing GRC \xe2\x94\x80 Risk Management System (RMS),\n                Information Technology Security Center (ITSC), and Rsam. These products were\n                developed or purchased to meet Federal Information Security Management\n                Act (FISMA) requirements to manage system security plans, track Plan of Action\n                and Milestones, and monitor the security posture of NASA\xe2\x80\x99s systems and\n                associated components. The tools purchased performed the same or similar\n                IT security management functions. The OCIO purchased RMS as an\n                Agency-wide solution for $1.5 million with annual maintenance costs of\n                $273,000. Marshall internally developed ITSC, which has annual maintenance\n                costs of $361,000. Finally, four NASA locations made a combined purchase of\n                Rsam at a total cost of $372,339, with annual maintenance costs of $80,412. The\n                Rsam purchase occurred after the OCIO\xe2\x80\x99s RMS purchase and both purchases\n                were made after Marshall\xe2\x80\x99s development of ITSC, which was available for use by\n                all NASA organizations.\n\n            \xc2\xb7   Log Event Management Tools. 
The OCIO, Chief Information Security\n                Officers (CISOs), and Organizational Computer Security Officials (OCSOs)\n                reported making 12 separate purchases of Splunk \xe2\x94\x80 a product used to log details\n                of potential security threats on networks and systems \xe2\x94\x80 at a cost of $1.3 million\n                with annual maintenance costs of $237,245. Even when organizations were\n                located at the same Center, coordination and consolidation of purchases did not\n                consistently occur. For example, two of these purchases were made separately by\n                projects that resided at Goddard Space Flight Center.\n\n            \xc2\xb7   Firewall/Boundary Protection Tools. The OCIO, CISOs, and OCSOs reported\n                making 20 separate purchases of Juniper boundary protection tools at a total cost\n                of $3.1 million with annual maintenance costs of $450,135.3\n\n     We believe NASA should integrate the processes used by CPIC, APM, and ELMT to\n     obtain more detailed information on IT security assessment and monitoring tool\n     requirements across the Agency. We acknowledge that not all of the purchases we\n     identified created duplication or could have been consolidated; however, in our judgment\n     consolidating Agency requirements will allow NASA to more efficiently manage its\n     widely distributed IT systems and the funds it allocates for IT security. NASA\xe2\x80\x99s ability\n     to identify and consolidate IT security tool requirements prior to making purchase\n\n\n     3\n         Firewall/boundary protection tools protect against external and internal intrusions of computer networks.\n\n\n\niv                                                                                         REPORT NO. 
IG-13-006\n\x0cOVERVIEW\n\n\n\n   decisions is imperative to achieve cost savings and standardize IT security tools\n   Agency-wide.\n\n   Management Action\n\n   We recommended that the CIO modify the CPIC process to capture detailed IT security\n   requirements and re-establish the APM process to enable greater visibility over existing\n   inventory and planned acquisition of IT assessment and monitoring tools. Furthermore,\n   NASA should consider routing the captured data acquired from the revised CPIC process\n   to ELMT for review and potential consolidation of IT security tool purchases.\n\n   In response to a draft of this report, the CIO concurred with our recommendations and\n   stated that the OCIO plans to complete responsive actions by the end of fiscal\n   year (FY) 2015. We consider the OCIO planned actions responsive and will close the\n   recommendations upon verification that the actions are complete. The Agency\xe2\x80\x99s\n   comments in response to a draft of this report are reprinted in Appendix C.\n\n\n\n\nREPORT NO. 
IG-13-006                                                                          v\n\x0c\x0cMARCH 18, 2013\n\n\n\n\n                                                         CONTENTS\n\n   INTRODUCTION\n      Background _________________________________________ 1\n      Objectives __________________________________________ 2\n\n   RESULTS\n      NASA Needs to Improve Its Process for Acquiring Information\n        Technology Security Assessment and Monitoring Tools _____ 3\n\n   APPENDIX A\n      Scope and Methodology _______________________________ 13\n      Review of Internal Controls ____________________________ 14\n      Prior Coverage ______________________________________ 15\n\n   APPENDIX B\n      Questionnaires ______________________________________ 16\n\n   APPENDIX C\n      Management Comments ______________________________ 17\n\n   APPENDIX D\n      Report Distribution___________________________________ 20\n\n\n\n\nREPORT NO. IG-13-006\n\x0c\x0cMARCH 18, 2013\n\n\n\n\n                                                                     INTRODUCTION\n\n\nBackground\n\n   NASA has a diverse information technology (IT) infrastructure that encompasses more\n   than 500 computer systems with 140,000 components distributed across the country. The\n   organizational structure is also complex, with individual NASA Centers and tens of\n   thousands of contractors supporting hundreds of NASA projects, many using NASA\xe2\x80\x99s\n   computer networks to process, store, and transmit sensitive information. Concurrently,\n   the large number of NASA systems and importance of the information on these systems\n   makes NASA an attractive target to cyber attackers. To prevent and thwart such attacks,\n   NASA must ensure that its IT systems and their associated components are safeguarded\n   and regularly assessed and monitored. NASA uses a variety of IT security assessment\n   and monitoring tools to respond to ever-evolving IT security threats. 
However, the\n   decentralized nature of its organizational structure makes implementation of an effective\n   IT security investment management process a continuous challenge.\n\n   NASA\xe2\x80\x99s Chief Information Officer (CIO) and the Deputy CIO for IT Security (DCIO)\n   are responsible for developing IT security policies and procedures and for implementing\n   an Agency-wide IT security program. The CIO and DCIO work from the\n   Headquarters-based Office of the Chief Information Officer (OCIO). In addition, each\n   Center has a CIO in charge of Center IT operations, and each Center CIO has a Chief\n   Information Security Officer (CISO) responsible for IT security operations. In most\n   cases, the Center CIO also assigns multiple Organizational Computer Security\n   Officials (OCSOs) to the CISO to facilitate implementation and oversight of information\n   security within their organizations. Further, NASA\xe2\x80\x99s three Mission Directorates\n   (Aeronautics Research, Science, and Human Exploration and Operations) have IT points\n   of contact who coordinate with the OCIO. All of these individuals play a key role in\n   ensuring the IT security of NASA\xe2\x80\x99s networks and components and, therefore, are\n   involved in determining what IT security assessment and monitoring tools the Agency\n   needs.\n\n   NASA\xe2\x80\x99s CIO has statutory responsibility through the Information Technology\n   Management Reform Act of 1996, also known as the Clinger-Cohen Act, to eliminate\n   duplicative IT investments and applications. In addition, the Office of Management and\n   Budget (OMB) requires that CIOs work with Chief Financial Officers and Chief\n   Acquisition Officers to eliminate duplicative IT investments, pool purchasing power, and\n   improve IT services. To help meet these objectives, NASA developed a Capital Planning\n   and Investment Control (CPIC) process to achieve cost savings by eliminating redundant\n   purchases. 
Further, NASA\xe2\x80\x99s Strategic Management Council directed the NASA CIO to\n   work with the Office of Program Analysis and Evaluation and the Office of the Chief\n   Engineer to develop an Application Portfolio Management (APM) process that organizes\n\n\n\nREPORT NO. IG-13-006                                                                           1\n\x0c                                                                                 INTRODUCTION\n\n\n\n    the Agency\xe2\x80\x99s investments in IT tools and applications to ensure integration and eliminate\n    unnecessary duplication. NASA Procedural Requirements (NPR) 2800.1B, \xe2\x80\x9cManaging\n    Information Technology,\xe2\x80\x9d March 20, 2009, also requires an APM process. Finally,\n    NASA\xe2\x80\x99s Enterprise License Management Team (ELMT) evaluates software requirements\n    to determine whether cost savings can be achieved by consolidating purchases.\n\nObjectives\n\n    The objective of this audit was to review NASA\xe2\x80\x99s policies and procedures related to the\n    acquisition of IT security assessment and monitoring tools. Details of the audit\xe2\x80\x99s scope\n    and methodology are in Appendix A.\n\n\n\n\n2                                                                         REPORT NO. IG-13-006\n\x0cRESULTS\n\n\n\n\n                          NASA NEEDS TO IMPROVE ITS PROCESS FOR\n                             ACQUIRING INFORMATION TECHNOLOGY\n                                       SECURITY ASSESSMENT AND\n                                             MONITORING TOOLS\n\n   NASA\xe2\x80\x99s IT investment management process does not fully capture, assess, and\n   consolidate IT security tool requirements across the Agency and therefore misses\n   opportunities to capitalize on efficiencies and leverage purchasing power on critical IT\n   security investments. 
NASA officials reported spending $25.7 million on 242 separate\n   purchases of IT security assessment and monitoring tools currently in use as of June\n   2012. We found that officials made these purchases with little or no coordination and\n   identified specific purchases that could have been consolidated to better leverage the\n   Agency\xe2\x80\x99s purchasing power. With improved awareness of its IT portfolio and visibility\n   over its purchases, NASA could reduce its costs for IT security assessment and\n   monitoring tools and potentially save millions of dollars annually in maintenance costs.\n\n   NASA\xe2\x80\x99s IT Investment Management and Reporting Process\n   Could be Tailored to Capture and Review IT Security\n   Investment Data\n\n   Despite federally mandated requirements, NASA has not fully implemented a\n   coordinated approach to identifying its IT requirements and improving IT acquisition\n   outcomes. The Clinger-Cohen Act and OMB require agencies to review IT investments\n   to identify opportunities to achieve efficiencies and pool their purchasing power across\n   entire organizations to drive down costs and improve IT services. NASA created the\n   ELMT in April 2008 to help the Agency determine whether it could achieve cost savings\n   by consolidating IT purchases. In addition, the Agency has two internal management\n   control processes \xe2\x94\x80 CPIC and APM \xe2\x94\x80 that are intended to identify NASA\xe2\x80\x99s IT\n   investments and eliminate redundant purchases to achieve cost savings. However, NASA\n   has not used these processes to capture detailed IT security assessment and monitoring\n   tool investment data. If NASA standardized the CPIC process and implemented the IT\n   application data capture functionality for all users, the Agency could gain a better\n   understanding of its IT portfolio and greater visibility over its purchases. 
Moreover, the\n   resulting data could help the ELMT negotiate more cost-effective purchase agreements.\n\n   Capital Planning and Investment Control. The Clinger-Cohen Act mandates that each\n   Federal agency have a CPIC process to improve IT management through reductions in IT\n   operations and maintenance costs and increased efficiency of operations. CPIC is a\n   decision-making process for ensuring IT investments integrate strategic planning,\n   budgeting, procurement, and management of IT in support of agency missions and\n   business needs. NASA\xe2\x80\x99s IT Investment Management System (ProSight), managed by the\n   OCIO, collects and aggregates IT investment cost data as part of the CPIC process.\n\n\n\nREPORT NO. IG-13-006                                                                            3\n\x0c                                                                                                      RESULTS\n\n\n\n    However, we found that the CPIC process is not consistently implemented at each Center\n    and there is little collaboration between Centers.\n\n    NASA\xe2\x80\x99s CPIC process captures cost data on high value IT investments (major\n    commodities) and generally focuses little on the details of low-value purchases\n    (non-major commodities such as IT security tools). Further, the data collected in\n    ProSight is not sufficiently detailed to identify specific IT security tool requirements,\n    maintenance costs, or tools planned for purchase. Although the functionality exists to\n    capture most IT application data, ProSight is used primarily to capture cost information\n    on major commodities. 
As a result, aggregate data in ProSight does not provide enough\n    detail to identify purchase and maintenance costs associated with IT security tools or\n    information about planned IT security purchases.\n\n    Although NASA is not using ProSight to collect data on all IT security purchases,\n    officials at Marshall have modified the system to collect detailed IT application data at\n    their location. Marshall personnel also developed a software application using a\n    commercial off-the-shelf product to facilitate rapid analysis and review of IT investment\n    data contained within ProSight. Marshall\xe2\x80\x99s IT security staff have used the modified\n    program to better document and catalog a detailed assessment of existing IT investments,\n    establish an inventory of applications for internal and external stakeholders, and identify\n    opportunities to reprioritize and rebalance IT assets and investments in response to\n    changing needs and demand. Currently, only Marshall personnel use this capability\n    although it is available to other Centers.\n\n    Application Portfolio Management (APM). The primary objective of an APM process\n    is to provide an overall view of existing IT application assets to improve the performance\n    of individual assets within the portfolio as well as the performance of the portfolio as a\n    whole. 4 In April 2007, NASA\xe2\x80\x99s Strategic Management Council, consistent with Federal\n    requirements established in the Clinger-Cohen Act, directed the NASA CIO to develop\n    an APM process that organizes the Agency\xe2\x80\x99s investments in IT tools and applications to\n    ensure integration and eliminate unnecessary duplication. 
5 However, use of APM was\n    discontinued as part of an OCIO reorganization in June 2011 and the OCIO\xe2\x80\x99s inability to\n    maintain a reliable inventory of IT applications.\n\n    NASA\xe2\x80\x99s APM goals were to develop and maintain a user-friendly inventory of NASA\n    applications with cost data; identify opportunities for reducing duplication among\n    applications; reduce future duplication by providing increased visibility into how existing\n    NASA applications could meet mission and business needs; and enable stakeholders to\n    assess how well IT applications are performing. During the course of our review, OCIO\n    personnel stated that they were gathering data on IT security assessment and monitoring\n\n    4\n        A comprehensive APM program would include all IT software assets owned by the Agency. These assets\n        would include widely used software such as Microsoft\xe2\x80\x99s SQL, Project, and SharePoint, Oracle\n        applications, and internally developed software applications.\n    5\n        The Strategic Management Council, chaired by the NASA Administrator, serves as the Agency\xe2\x80\x99s senior\n        decision-making body for strategic planning. The NASA CIO is also a member of this Council.\n\n\n\n4                                                                                    REPORT NO. IG-13-006\n\x0cRESULTS\n\n\n\n   tools used Agency-wide, but these efforts to date were incomplete. We believe NASA\n   could improve visibility over its IT portfolio and identify opportunities for consolidating\n   and reducing duplication among all applications by reestablishing an APM process.6\n\n   Enterprise License Management Team (ELMT). NASA has previously consolidated\n   software purchases to leverage its purchasing power. 
In 2008, the Agency established the\n   ELMT at the NASA Shared Service Center to work with the OCIO and the Headquarters\n   Office of Procurement to increase efficiency in purchasing and utilizing software\n   applications. ELMT seeks to identify widespread common software requirements, reduce\n   software and maintenance costs on initial purchase through consolidation, reduce the\n   number of procurements, and encourage common software versions and configurations\n   throughout the Agency. The team maintains an enterprise license database, and all\n   NASA Centers are encouraged to consult with the ELMT to determine whether existing\n   agreements can fulfill their software needs before making a new purchase. ELMT also\n   conducts market research to reduce overall license and maintenance costs and to secure\n   volume discounts for applicable licenses. ELMT also distributes unused licenses by\n   negotiating license transferability into purchase agreements. Transferability is important\n   for large organizations like NASA where similar software is used often across various\n   programs and projects. For example, when a project ends and no longer needs specific\n   software, transferability allows other units to take ownership without added purchase\n   expenses.\n\n   From fiscal year 2009 through 2011, ELMT was involved in the purchase of seven software\n   applications that initially cost $27.3 million but were negotiated down to $19.1 million.\n   After accounting for ELMT costs of $2.4 million, NASA achieved a net savings of\n   $5.9 million through consolidations. Despite this success, we found that widespread use of\n   ELMT was minimal due to the limited availability of IT procurement requirement and\n   purchasing data in ProSight. 
Such information, if available and tailored appropriately, could\n   allow ELMT to review portfolio management information and consolidate IT security\n   assessment and monitoring tool requirements.\n\n   NASA Could Leverage its Purchasing Power by Consolidating IT\n   Security Assessment and Monitoring Tool Requirements and\n   Purchases\n\n   Because NASA\xe2\x80\x99s IT investment process does not adequately track technology\n   requirements and purchases, the Agency was unable to provide complete information in\n   support of our review. Accordingly, to determine the IT security assessment and\n   monitoring tools in use at NASA, we distributed questionnaires to the DCIO, 12 CISOs,\n   and 140 OCSOs. The questionnaire asked these officials to identify the IT security\n   assessment and monitoring tools they had procured to manage the following nine IT\n   security control areas common across all information systems: Intrusion Detection;\n\n   6\n       To help NASA reestablish an APM process, we provided the OCIO with the data on IT security\n       assessment and monitoring tools gathered during this audit.\n\n\n\nREPORT NO. IG-13-006                                                                                5\n\x0c                                                                                                 RESULTS\n\n\n\n    Network Traffic Monitoring; Log Event Management; Malware and Antivirus Protection;\n    Vulnerability Management; Patch Management; Firewall/Boundary Protection;\n    Configuration Management; and Governance, Risk, and Compliance (GRC).\n\n    Based on questionnaire responses received through June 2012 (73 percent), we found that\n    NASA spent $25.7 million on IT security assessment and monitoring tools across all\n    levels of the organization. 
Our results indicated that the OCIO, CISOs, and OCSOs at NASA locations, Mission Directorates, programs, and projects made 242 separate purchases of IT security assessment and monitoring tools at a cost of $19.9 million, with an additional $5.8 million in annual maintenance costs. Specifically, the OCIO spent $7.3 million to purchase and $1.8 million annually to maintain IT security assessment and monitoring tools; CISOs spent $5.9 million to purchase and $2.2 million annually to maintain such tools; and OCSOs supporting project systems spent $6.7 million to purchase and $1.8 million annually to maintain them. Table 1 shows the combined OCIO, CISO, and OCSO IT security tool purchases and expenditures within the nine IT security control areas.

Table 1. NASA Security Tool Purchases and Expenditures

IT Security Control Area                 Number of    Purchase       Annual           Totals
                                         Separate     Costs          Maintenance
                                         Purchases                   Costs
Intrusion Detection                          23      $ 3,033,215    $   713,926    $ 3,747,141
Network Traffic Monitoring                   34        2,869,551        541,707      3,411,258
Log Event Management                         41        4,514,070        834,939      5,349,009
Malware and Antivirus Protection             32          541,929        221,599        763,528
Vulnerability Management                     32        1,659,297        636,562      2,295,859
Patch Management                             11        1,324,467      1,121,812      2,446,279
Firewall/Boundary Protection                 43        3,650,492        732,298      4,382,790
Configuration Management                     17          442,276        266,727        709,003
Governance, Risk, and Compliance (GRC)        9        1,899,645        734,012      2,633,657
Totals                                      242      $19,934,942    $ 5,803,582    $25,738,524

Source: Based on OIG analysis of NASA responses to survey questionnaire.

We determined that in multiple instances the OCIO, CISOs, and OCSOs purchased the same or similar tools for the nine IT security control areas, indicating potential missed opportunities for consolidation.

Intrusion Detection Tools. Intrusion detection tools monitor networks or systems for malicious activities or policy violations. According to our survey, NASA made 23 separate purchases of 20 different intrusion detection tools at a cost of $3 million with annual maintenance costs of $713,926. A NASA CISO and an OCSO made two separate purchases of the Basic Analysis and Security Engine intrusion detection tool at a cost of $85,000 and annual maintenance costs of $15,000. Another CISO and OCSO made two separate purchases of the Forensic Access Data and Storage intrusion detection tool at a cost of $318,000 and annual maintenance costs of $29,000. Additionally, the OCIO, CISOs, and OCSOs made 19 purchases of 18 other intrusion detection tools at a cost of $2.6 million with annual maintenance costs of $669,926.

Network Traffic Monitoring Tools. 
Network traffic monitoring examines network performance and user behavior to help security program managers identify areas in need of improvement. This information can be correlated with other sources to create a comprehensive security picture. According to our survey, NASA made 34 purchases of 24 different tools to monitor network traffic at a cost of $2.9 million with annual maintenance costs of $541,707. One of the tools purchased was Q-Radar, for which the OCIO and IT security personnel at three locations made four separate purchases for $1.2 million with annual maintenance costs of $139,605. In addition, IT security personnel at four locations made six purchases of Solar Winds tools for $99,500, with annual maintenance costs of $59,559. The remaining 24 purchases involved 22 individual network traffic monitoring tools at a cost of $1.6 million with annual maintenance costs of $344,563.

Log and Event Management Tools. Log and event management tools alert system administrators to potential security or other events on Agency networks and systems. Third-party assessments have reported that NASA systems lacked sufficient log management capability in the past and that system administrators needed to better monitor and maintain logs related to alerts generated by potential security events. NASA made 41 separate purchases of 20 different log and event management tools at a cost of $4.5 million with annual maintenance costs of $834,939. For example, the OCIO, CISOs, and OCSOs made 12 separate purchases of Splunk, used to record what events had occurred on a system and to identify potential security threats, at a cost of $1.3 million and annual maintenance costs of $237,245. Two of the 12 purchases were made by large projects located at the same NASA Center, and Agency officials told us there was no coordination or consolidation of these purchases. Additionally, NASA CISOs and OCSOs made 8 separate purchases of another product, Net IQ, for $1 million and annual maintenance costs of $159,384. Agency personnel made 21 additional purchases of 18 other log and event management tools at a cost of $2.2 million with annual maintenance costs of $438,310.

Malware and Antivirus Tools. Malware and antivirus tools protect against software installed without the user’s knowledge that is designed to harm the computer or steal information. The requirement for antivirus and malware protection is common to all NASA information systems. We identified 32 separate purchases of malware and antivirus tools at a cost of $541,929 with annual maintenance costs of $221,599. For example, NASA CISOs and OCSOs made 19 separate purchases of Symantec malware and antivirus protection tools at a cost of $486,703 and annual maintenance costs of $129,128. In addition, in December 2010 NASA awarded the Agency Consolidated End-user Services (ACES) contract, which includes Symantec antivirus tools for all ACES end users.

Vulnerability Management Tools. NASA employs vulnerability scanning tools to scan IT assets at every NASA location to detect and mitigate vulnerabilities. According to our survey, NASA made 32 separate purchases of vulnerability management tools at a cost of $1.7 million with annual maintenance costs of $636,562. 
To centrally manage vulnerability mitigation efforts, in 2005 the CIO launched the Agency Vulnerability Assessment and Remediation (AVAR) program and purchased McAfee Foundstone/McAfee Vulnerability Manager as the Agency-wide solution at a cost of $364,973 and with annual maintenance costs of $234,057. While NASA uses McAfee Vulnerability Manager to scan its approximately 140,000 system components, such scanning is also being performed under the Agency’s ACES contract.

Although the ACES contract was developed to consolidate NASA’s IT services, we identified duplication of effort in its vulnerability management services. Specifically, ACES uses Retina Network Security Scanner to scan approximately 32,200 of NASA’s 140,000 system components. While the contractor is scanning and mitigating findings on those components, NASA’s AVAR program is also performing vulnerability scans on the same 32,200 components. The OCIO could not provide cost data for the ACES vulnerability management services. We also identified 30 additional purchases of vulnerability management tools, including 11 purchases of NESSUS, four purchases of IBM App Scan, two purchases of HailStorm WebApp Scanner, and 13 purchases of various other tools, at a cost of $1.4 million and with annual maintenance costs of $402,505.

Patch Management Tools. Patch management is the process of identifying, acquiring, installing, and verifying patches for IT products and systems to correct software security and functionality problems. To implement patch management, NASA made 11 purchases of 9 different tools for $1.3 million with annual maintenance costs of $1.1 million. According to our survey, the NASA OCIO purchased KACE for $1.2 million with annual maintenance costs of $424,000. At the same time, one CISO and seven OCSOs purchased eight different tools to perform patch management functions for $98,467 with annual maintenance costs of $697,812.

Firewall/Boundary Protection Tools. Firewall/boundary protection tools protect against internal or external intrusion into computer networks and are ubiquitous throughout NASA’s networks, where they monitor and control access. According to our survey, NASA made 43 separate purchases of firewall/boundary protection tools at a cost of $3.7 million with annual maintenance costs of $732,298. Specifically, the OCIO, CISOs, and OCSOs made 20 separate purchases of Juniper boundary protection tools at a cost of $3.1 million and annual maintenance costs of $450,135. In addition, the CIO, OCSOs, and CISOs made 19 separate purchases of CISCO/Check Point boundary protection devices at a cost of $577,000 with annual maintenance costs of $353,000. Agency personnel also purchased four additional firewall/boundary protection tools at a cost of $50,460.

Configuration Management Tools. Configuration management is a collection of activities that seeks to establish and maintain the integrity of IT products and systems through control of the processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle. According to our survey, NASA made 17 purchases of 15 different tools for configuration management of NASA systems at an initial cost of $442,276 with annual maintenance costs of $266,727.

Governance, Risk, and Compliance (GRC) Tools. 
FISMA mandates common GRC requirements to manage system security plans, track the status of and corrective actions for deficiencies identified on NASA systems, and monitor the security posture of its systems and associated components. NASA made 14 purchases of 12 different tools to perform GRC activities at NASA locations at a cost of $1.7 million and annual maintenance costs of $704,012. The following are four examples of GRC expenditures at NASA:

·  ITSC, a software suite that Marshall developed internally in 2003 and that has annual maintenance costs of $361,000. Although this product is available to all NASA locations, only Marshall currently uses it.

·  RMS from SecureInfo cost NASA $1.5 million and has annual maintenance costs of $273,000. The OCIO purchased RMS in July 2005 as the Agency-wide risk management software solution. Prior OIG reviews noted that RMS was not user-friendly and contained incomplete information; the Agency is therefore evaluating other solutions as potential replacements.

·  Rsam was purchased by four Centers in August 2008 to meet many of the same FISMA requirements as the RMS and ITSC tools. Rsam cost $372,339 with annual maintenance costs of $80,412. Despite knowing that RMS was the required Agency-wide solution, Centers purchased Rsam to help satisfy their FISMA requirements.

·  The Information Technology Security Data Base was deployed in June 2000 at the Jet Propulsion Laboratory to meet many of the same FISMA IT security requirements that similar tools meet at other Centers.

Although some information systems at NASA have unique security requirements, the nine control areas can be assessed and monitored using a common set of tools. We believe that uncoordinated purchases cause NASA to spend more than necessary on IT security software because many software requirements are procured individually each year rather than through an enterprise purchase agreement that leverages economies of scale. Such purchases by individual NASA entities may also result in redundant effort by procurement and contract management staff and in higher per-license cost and increased maintenance cost due to limited-quantity procurements. Furthermore, maintenance costs are often based on the vendor resources used to maintain individual maintenance agreements and are typically calculated as a percentage of the initial software purchase cost. By consolidating its requirements, reducing separate purchases, and negotiating volume discounts, NASA could have further reduced the associated annual maintenance costs.

We acknowledge that not all of the purchases identified in the nine IT security control areas created duplication or could have been consolidated. 
However, we believe NASA could manage its widely distributed IT security systems more efficiently by consolidating requirements. NASA IT security, procurement, and capital planning officials acknowledge overlap in the purchase of IT security tools across the Agency and agree that NASA could benefit from consolidating efforts to leverage its buying power.

Conclusion

To achieve cost savings and standardize IT resources across the Agency, NASA needs to consolidate IT security assessment and monitoring tool requirements before making purchasing decisions. Full implementation of two current NASA systems could help make more effective use of IT security funds by: 1) expanding the CPIC process to capture detailed IT security application and cost data; and 2) revitalizing the APM program to gain a better understanding of the Agency’s IT security assessment and monitoring tool environment. Using this data, the ELMT could identify IT security assessment and monitoring tools for consolidation. Our survey found that NASA’s DCIO, CISOs, and OCSOs spent $25.7 million on tools that are either the same as, or perform similar IT security management functions to, other available software. We believe NASA could have reduced its purchase costs and the associated annual maintenance costs with a more effective IT investment management process that captures, consolidates, and assesses IT security tool requirements across the Agency.

Recommendations, Management’s Response, and Evaluation of Management’s Response

To improve NASA’s process for acquiring Agency-wide IT security assessment and monitoring tools, we made the following recommendations to the Chief Information Officer:

Recommendation 1. 
Ensure that IT application data capture is available to all NASA IT Investment Management System (ProSight) users.

Management’s Response. The CIO concurred with our recommendation, stating that the OCIO is in the process of migrating from ProSight to a new CPIC management tool, eCPIC, and will use the Federal eCPIC Steering Committee to leverage ideas for identifying and collecting data associated with investments and for tracking and reducing spending in commodity IT areas, including security tools. The OCIO plans to complete the migration to eCPIC in April 2013, to develop a plan for implementing the data collection process as part of the CPIC meeting scheduled for October 2013, and to implement that plan by the end of FY 2014. In addition, work is underway to define the current and target state of IT security tools and to develop a transition plan to achieve the target state. This effort should be complete by the end of FY 2014.

Evaluation of Management’s Response. Management’s comments are responsive; therefore, the recommendation is resolved and will be closed upon verification and completion of the proposed corrective actions.

Recommendation 2. Require, as part of the CPIC process, that all Agency activities identify their IT security assessment and monitoring tools and associated purchase and maintenance costs in ProSight.

Management’s Response. The CIO concurred with our recommendation, stating that as part of a new OMB initiative, PortfolioStat, the OCIO is assessing data requirements to support effective reporting and decision making. PortfolioStat includes an assessment of the IT security tools budget and whether opportunities exist for consolidation to eliminate duplication. The OCIO has requested data from the Centers and Mission Directorates and also plans to use data provided by the OIG during this review. Furthermore, the OCIO is working with the Chief Financial Officer to determine whether changes can be made to the Agency’s financial system that would provide greater granularity into IT spending throughout the Agency and therefore enable decision makers to identify potential investment/portfolio areas for consolidation. The OCIO plans to complete these actions by the end of FY 2015, assuming adequate resources are available to make any necessary modifications to the financial system.

Evaluation of Management’s Response. Management’s comments are responsive; therefore, the recommendation is resolved and will be closed upon verification and completion of the proposed corrective actions.

Recommendation 3. Ensure that the captured data is routed through the ELMT for review and consolidation of IT security assessment and monitoring tools.

Management’s Response. The CIO concurred with our recommendation, stating that the OCIO will establish accounts for the ELMT in eCPIC in April 2013, when migration and training activities are complete. The OCIO will also recommend that the ELMT be represented on the CPIC Working Group and participate in working sessions to improve CPIC activities.

Evaluation of Management’s Response. Management’s comments are responsive; therefore, the recommendation is resolved and will be closed upon verification and completion of the proposed corrective actions.

Recommendation 4. 
Once the above recommendations are implemented, determine whether other non-major commodity IT application data could be captured using the same process in an effort to reestablish an overall APM program.

Management’s Response. The CIO concurred with our recommendation, stating that OMB’s PortfolioStat process is providing a framework to collect data on high-priority IT spending areas. In the interim, the OCIO will continue to implement the annual PortfolioStat processes and prioritize the highest-value areas for consolidation to eliminate duplication. The OCIO will also continue to identify candidates for application license consolidation in the Agency. The OCIO plans to complete this action by the end of FY 2015.

Evaluation of Management’s Response. Management’s comments are responsive; therefore, the recommendation is resolved and will be closed upon verification and completion of the proposed corrective actions.

APPENDIXES

APPENDIX A

Scope and Methodology

We performed this audit from October 2011 through January 2013 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

To assess NASA’s ability to gather and consolidate requirements for IT security assessment and monitoring tools, we analyzed data obtained from the DCIO, CISOs, and OCSOs through questionnaires and interviews. We also interviewed personnel from ACES, AVAR, ELMT, and procurement across all NASA Centers about IT security assessment and monitoring tools and acquisition processes, CPIC, and APM.

The questionnaires focused on tools purchased to manage nine IT security control areas: intrusion detection, network traffic monitoring, log event management, malware and antivirus, vulnerability management, patch management, firewall/boundary protection, configuration management, and GRC. We requested information on purchases and the associated maintenance costs for tools currently in use.

We used three different questionnaires: the questionnaire sent to the DCIO asked specifically about tools purchased as Agency-wide solutions, and the CISO and OCSO questionnaires included additional questions to identify the systems for which those officials were responsible. We distributed 12 CISO questionnaires and 140 OCSO questionnaires, which covered the responsible IT security official for most of the Agency’s computer systems as identified in the system inventory. We distributed the questionnaires in October 2011 and received responses from the DCIO, the CISOs, and 98 of the OCSOs by June 2012, an overall response rate of 73 percent. Our analysis of the questionnaire responses identified which IT security assessment and monitoring tools the DCIO, CISOs, and OCSOs purchased and the number of purchases made in the nine IT security control areas.

Federal Laws, Regulations, Policies, and Guidance. 
We reviewed the following in the course of our audit work:

·  Information Technology Management Reform Act of 1996 (Clinger-Cohen Act)

·  Executive Order 13589, “Promoting Efficient Spending,” November 9, 2011

·  OMB Memorandum M-11-29, “Chief Information Officer Authorities,” August 8, 2011

·  OMB Memorandum M-12-10, “Implementing PortfolioStat,” March 30, 2012

·  OMB Memorandum M-12-12, “Promoting Efficient Spending to Support Agency Operations,” May 11, 2012

·  NASA Policy Directive (NPD) 1000.0A, “NASA Governance and Strategic Management Handbook,” August 13, 2008

·  NPR 2800.1B, “Managing Information Technology,” March 20, 2009

·  NPR 2810.1A, “Security of Information Technology” (Revalidated with Change 1, dated May 19, 2011)

·  NPR 7120.7, “NASA Information Technology and Institutional Infrastructure Program and Project Manager Requirements,” November 3, 2008

·  NASA OCIO Information Resources Management Strategic Plan, June 2011

·  NASA Memorandum, “Solutions for Enterprise-Wide Procurement (SEWP) Contract,” August 15, 2011

·  NASA Memorandum, “FY09 Acquisition of IT Products and Service Guidance,” March 27, 2008

Use of Computer-Processed Data. We did not use computer-processed data in the performance of this audit. However, we did obtain information from the OCIO that resulted from data manually entered into a spreadsheet to report NASA’s System Inventory and the individuals (CISOs and OCSOs) responsible for the security of the systems included in the inventory. This information was verified during the distribution of questionnaires to all CISOs and OCSOs.

Review of Internal Controls

We examined internal controls that would allow NASA to acquire IT security assessment and monitoring tools, achieve efficiencies, improve integration and security, and ensure alignment of IT with mission. We discuss the control weaknesses identified in the Results section of this report. Our recommendations, if implemented, will address those weaknesses.

Prior Coverage

During the past five years, the NASA Office of Inspector General (OIG) issued one report of particular relevance to the subject of this report: “Final Memorandum on Review of NASA’s Consolidation of Information Technology Purchases under the Outsourcing Desktop Initiative” (IG-09-001-R, November 6, 2008). Unrestricted reports can be accessed over the Internet at http://oig.nasa.gov/audits/reports/FY13/index.html.

APPENDIX B

QUESTIONNAIRES

To collect information on IT security assessment and monitoring tools in use across the Agency, we developed three different questionnaires: one for the DCIO, which focused on tools purchased as Agency-wide solutions; one for CISOs; and one for OCSOs, which included a section to identify the systems for which they were responsible.

Between October 19 and December 6, 2011, we distributed the questionnaires to the DCIO, 12 CISOs, and 140 OCSOs. We received the DCIO’s response on January 4, 2012. We received responses from all 12 CISOs by June 25, 2012. The last of the 98 responses from OCSOs was received January 25, 2012. Overall, the response rate was 73 percent (111 of the 153 distributed questionnaires were returned).

Table 2 below summarizes the survey results.

Table 2. Summary of Responses to Questionnaires

Questionnaire Recipient    Return Rate          Purchase Costs of IT Tools    Annual Maintenance Costs
DCIO                       100% (1 of 1)          $ 7,340,973                   $1,762,057
CISOs                      100% (12 of 12)          5,882,553                    2,278,892
OCSOs                       70% (98 of 140)         6,711,416                    1,762,633
Total                       73% (111 of 153)      $19,934,942                   $5,803,582

APPENDIX C

MANAGEMENT COMMENTS

APPENDIX D

REPORT DISTRIBUTION

National Aeronautics and Space Administration

   Administrator
   Deputy Administrator
   Chief of Staff
   Associate Administrator for Aeronautics Research
   Associate Administrator for Science
   Associate Administrator for Human Exploration and Operations
   Chief Information Officer
   Associate Chief Information Officer for Capital Planning and Governance
   Deputy Chief Information Officer for Information Technology Security
   Chief Acquisition Officer/Assistant Administrator for Procurement
   NASA Advisory Council’s Audit, Finance, and Analysis Committee

Non-NASA Organizations and Individuals

   Office of Management and Budget
      Deputy Associate Director, Energy and Science Division
         Branch Chief, Science and Space Programs Branch
   Government Accountability Office
      Director, Office of Acquisition and Sourcing Management

Congressional Committees and Subcommittees, Chairman and Ranking Member

   Senate Committee on Appropriations
      Subcommittee on Commerce, Justice, Science, and Related Agencies
   Senate Committee on Commerce, Science, and Transportation
      Subcommittee on Science and Space
   Senate Committee on Homeland Security and Governmental Affairs
   House Committee on Appropriations
      Subcommittee on Commerce, Justice, Science, and Related Agencies
   House Committee on Oversight and Government Reform
      Subcommittee on Government Organization, Efficiency, and Financial Management
   House Committee on Science, Space, and Technology
      Subcommittee on Oversight
      
Subcommittee on Space

Major Contributors to the Report:
   Wen Song, Director, Information Technology Directorate
   Vincent Small, Project Manager
   Bret Skalsky, Team Lead
   Bessie Cox, Auditor
   Chris Reeves, Information Technology Specialist
   Mike Beims, Computer Engineer

ADDITIONAL COPIES
Visit http://oig.nasa.gov/audits/reports/FY12/ to obtain additional copies of this report, or contact the Assistant Inspector General for Audits at 202-358-1232.

COMMENTS ON THIS REPORT
In order to help us improve the quality of our products, if you wish to comment on the quality or usefulness of this report, please send your comments to Mr. Laurence Hawkins, Audit Operations and Quality Assurance Director, at Laurence.B.Hawkins@nasa.gov or call 202-358-1543.

SUGGESTIONS FOR FUTURE AUDITS
To suggest ideas for or to request future audits, contact the Assistant Inspector General for Audits. Ideas and requests can also be mailed to:
      Assistant Inspector General for Audits
      NASA Headquarters
      Washington, DC 20546-0001

NASA HOTLINE
To report fraud, waste, abuse, or mismanagement, contact the NASA OIG Hotline at 800-424-9183 or 800-535-8134 (TDD). You may also write to the NASA Inspector General, P.O. Box 23089, L’Enfant Plaza Station, Washington, DC 20026, or use http://oig.nasa.gov/hotline.html#form. The identity of each writer and caller can be kept confidential, upon request, to the extent permitted by law.